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CLINTON E-MAIL INVESTIGATION 

MISHANDLING OF CLASSIFIED - UNKNOWN SUBJECT OR COUNTRY (SIM) 



This report recounts the information collected in this investigation. It is not intended to address potential inconsistencies in, or the 
validity of, the information related herein. 
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(U// TOUO ) On July 10, 2015, the Federal Bureau of Investigation (FBI) initiated a full 
investigation based upon a referral received from the US Intelligence Community Inspector 
General (1C1G), submitted in accordance with Section 811(c) of the Intelligence Authorization 
Act of 1995 and dated July 6, 201 5, regarding the potential unauthorized transmission and 
storage of classified information on the personal e-mail server of former Secretary of State 
Hillary Clinton (Clinton)/' The FBI's investigation focused on determining whether classified 
information was transmitted or stored on unclassified systems in violation of federal criminal 


■' (L7/rOU©) For a complete listing of the interviews conducted, electronic media collected, legal process issued, and classified c- 
mails identified during this investigation, please refer to Appendices A-D. As background. Clinton was Secretary of Slate from 
Januaiy 21. 2009 through February I. 2013. 
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statutes and whether classified information was compromised by unauthorized individuals, to 
include foreign governments or intelligence services, via cyber intrusion or other means. 
(U/ /TOUQ ) In furtherance of its investigation, the FBI acquired computer equipment and mobile 
devices, to include equipment associated with two separate e-mail server systems used by 
Clinton, and forensically reviewed the items to recover relevant evidence In response to FBI 
requests for classification determinations in support of this investigation, US Intelligence 
Community (USIC) agencies determined that 81 e-mail chains, b c which FBI investigation 
determined were transmitted and stored on Clinton 1 s UNCLASSIFIED personal server systems, 
contained classified information ranging from the CONFIDENTIAL to TOP SECRET/SPECIAL 
ACCESS PROGRAM levels at the time they were sent between 2009-2013 USIC agencies 
determined that 68 of these e-mail chains remain classified. In addition, the classification 
determination process administered by the US Department of State (State) in connection with 
Freedom of Information Act (FOIA) litigation identified approximately 2,000 additional e-mails 
currently classified CONFIDENTIAL and 1 e-mail currently classified SECRET, which FBI 
investigation determined were transmitted and stored on at least two of Clinton' s personal server 
systems. d 


(U/ /FOUO) The FBI' s investigation and forensic analysis did not find evidence confirming that 
Clinton' s e-mail accounts or mobile devices were com promised -by cyber means. However, 
investigative limitations, including the FBI' s inability to obtain all mobile devices and various 
computer components associated with Clinton's personal e-mail systems, prevented the FBI from 
conclusively determining whether the classified information transmitted and stored on Clinton' s 
personal server systems was compromised via cyber intrusion or other means. The FBI did find 
that hostile foreign actors successfully gained access to the personal e-mail accounts of 
individuals with whom Clinton was in regular contact and, in doing so, obtained e-mails sent to 
or received by Clinton on her personal account. 


1. (U/ /FQHO) Clinton's Personal E-Mail Server Systems 

A. (U ‘I'OIK)) Initial E-mail Server: June 2008 March 2009 

(U//F OU0 ) In or around 2007, Justin Cooper, at the time an aide to former President William 
Jefferson Clinton (President Clinton), purchased an Apple OS X server (Apple Server) for the 
sole purpose of hosting e-mail services for President Clinton's staff. 12 Due to concern over 
ensuring e-mail reliability and a desire to segregate e-mail for President Clinton' s various post- 
presidency endeavors, President Clinton's aides decided to maintain physical control of the 
Apple Server in the Clinton residence in Chappaqua, New York (Chappaqua residence) ’ J 3 
According to Cooper, in or around June 2008, a representative from Apple installed the Apple 
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h ( L7/FOU©} The number of classified e-mail chains idcniificd ma> change as classification determination icsponscs continue to 
bc returned to the FBI. 

' (L7/ rQUO ) For the putposcs of the FBI' s investigation, an "e-mail chain is defined as a set of e-mail responses having the 
same initial e-mail. The subject line may bc edited in these chains to reflect the purpose of the forward or rcpl> 

0 (L7/FOUO) State did not provide a determination with respect to the classification of these e-mails at the time they were sent. 
According to State Under Secretary of Management. Patrick Kcnncdx. unclassified information provided to State in confidence 
can later bc considered classified when it is "further assessed the disclosure of such information might damage national sccurin 
or diplomatic relationships. " Such information is referred to as " up-class or "up-classified. 
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Server 0 in the basement of the Chappaqua residence/’ The FBI was unable to obtain records 
from Cooper or Apple to verify the installation. At the time, Cooper was the only individual with 
administrative access to the Apple Server; however, the Clinton family and their Chappaqua 
residence staff had physical access to the Apple Server. 89 The Apple Server initially hosted the 
domains presidentclinton.com and wicoffice.com . which were used by President Clinton 1 s 
staff. r ,0 - 

(U//F OUQ ) Prior to January 21 , 2009, when she was sworn in as the US Secretary of State, 

Clinton used a personally-acquired BlackBerry device with service initially from Cingular 
Wireless and later AT&T Wireless, to access her e-mail accounts 1214 Clinton initially used the 
e-mail addresses hrl 5@mvcingular blackberry net and then changed to 
hr 1 5@att.blackberry.net 14-1 5 According to Cooper, in January 2009, Clinton decided to stop 
using her hrl 5@att.blackberry.net e-mail address and instead began using a new private domain, 
clintonemail.com , to host e-mail service on the Apple Server. 16 Clinton stated to the FBI that she 
directed aides, in or around January 2009, to create the clintonemail com account, and as a 
matter of convenience her clintonemail com account was moved to an e-mail system maintained 
by President Clinton's aides. 1 ' While Cooper could not specifically recall registering the domain. 

Cooper was listed as the point of contact for clintonemail .com when the domain was registered 
with a domain registration services company. Network Solutions, on January 13, 2009. 18 19 
Clinton used her att.blackberry.net e-mail account as her primary e-mail address until 
approximately mid-to-late January 2009 when she transitioned to her newly created 
hdr22@clintonemail.com account/" 21 The FBI did not recover any information indicating that 
Clinton sent an e-mail from her hrl 5@att blackberrv.net e-mail after March 18, 2009. 

(U //FOUO ) According to Cooper, in or around January 2009 the decision was made to move to 
another server because the Apple Server was antiquated and users were experiencing problems 
with e-mail delivery on their BlackBerry devices/ 2 2 ’ At the recommendation of Huma Abedin, 

Clinton 1 s long-time aide and later Deputy Chief of Staff at State, in or around fall 2008. Cooper 
contacted Bryan Pagliano, who worked on Clinton 1 s 2008 presidential campaign as an 
information technology specialist, to build the new server system and to assist Cooper with the 
administration of the new server system. 24 ' 2 '' 2 ' 1 ' 2 Pagliano was in the process of liquidating the 
computer equipment from Clinton' s presidential campaign when Cooper contacted Pagliano 
about using some of the campaign 1 s computer equipment to replace the existing Apple Server at 
Clinton' s Chappaqua residence. 29 Pagliano was unaware the server would be used by Clinton 
at the time he was building the server system, rather, he believed the server would be used by 
President Clinton' s staff. ’ Clinton told the FBI that at some point she became aware there was a 
server in the basement of her Chappaqua residence 1 1 However, she was unaware of the 
transition from the Apple Server managed by Cooper to another server built by Pagliano and 
therefore, was not involved in the transition decision/" 

B. (II TO I/O) Second E-mail Server: March 2009 June 2013 



c (U// C QI?f)) The Apple Sewer consisicd of an Apple Power Macintosh G4 or G5 lower and an I IP printer. 

1 (L7/F6UO) Investigation determined \ pious CilldOiCCS Ql PlCSidCItt Cliiiion lUaiiUaittCfl t-iliail aCCQUttlS USUltt Lite 

nrcsirtaiurtininn com rinniriin in inrlnrld . 

| President Clinton did not maintain an e-mail account on the Apple Sewer. The e-mail 
domain wico fficc.com was primarily a legacy domain that contained mostly forw arded e-mail. 
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(U/ /FQUO ) Between the fall of 2008 and January 2009, Pagliano requisitioned the original 
hardware for the second e-mail server from Clinton's presidential campaign headquarters in 
Arlington, VA " In addition to hardware acquired from Clinton's presidential campaign, 
Pagliano and Cooper g purchased additional necessary equipment through commercial 
vendors. 44 ' 45,<u 7 In March 2009, after Pagliano had acquired all of the server equipment and 
installed the necessary software, he and Cooper met at Clinton' s Chappaqua residence to 
physically install the server and related equipment in a server rack in the Clintons' 
basement. Iv,x ’ 9 

(U// TOUO ) Once the new server system' was physically installed and powered on, Pagliano 
began migrating the e-mail data from the Apple Server to the Pagliano-administered server 
system (Pagliano Server) 40 Pagliano believed he “popped out” all of the e-mail from the Apple 
Server and that no e-mail content should have remained on the Apple Server once the migration 
took place. 41 Pagliano st ated to the FBI tha t he only transferred clintonemail.com e-mail 

accounts for Abedin and From the Apple Server and said he was unaware of and 

did not transfer an e-mail account for Clinton.-’' 42 However, Cooper stated to the FBI that he 
believed Clinton had a clintonemail.com e-mail account on the Apple Server, and that Abedin 
did not have a clintonemail.com account on the Apple Server. 44 As the FBI was unable to obtain 
the original Apple Server for a forensic review for reasons explained below, the FBI cannot 
determine which clintonemail.com e-mail accounts were hosted on, and transferred from, the 
Apple Server to the Pagliano Server. 

(U/ /FQUQ ) After the e-mail account migration was completed, Cooper changed the Mail 
Exchange (MX) records' 1 to ensure that delivery of all subsequent e-mail to or from e-mail 
addresses on the presidentclinton.com and clintonemail.com domains would be directed toward 
the new Pagliano Server instead of the Apple Server. 44 The Pagliano Server was only used for e- 
mail management, and the FBI' s review of the oldest available backup image of this server, 
dated June 24, 201 3, did not indicate that any e-mail users' files were stored on the Pagliano 
Server. 45 


(U//FOU0) In March 2009, following the e-mail migration from the Apple Server to the 
Pagli ano Server the Annie Server was re purposed to serve as a personal computer for household 

staff. 4 Jat Clinton' s Chappaqua residence, subsequently used the 

Apple Server equipment as a workstation. 4 In 2014, the data on the Apple computer was 
transferred to an Apple iMac computer, and the hard drive of the old Apple computer, which 


•" (U //TOUO ) Cooper liaq pud was often responsible for reimbursing 

stuff for pnrchascs/cxpcnses. 

11 (L7/FOUO) Pagliano visited Clinton' s Chappaqua residence on at least tlircc occasions to work on the server in March 2009. to 
install the server: in June 201 1. to upgrade the equipment, and in January 2012. to fix a hardware issue. 

' (L7ffOU0> The Pagliano Server initially consisted of the following equipment: a Dell PowcrEdgc 2900 server miming 
Microsoft Exchange fore-mail hosting and management, a Dell PowcrEdgc 1950 server running BlaekBcrry Enterprise Server 
(BES) for the management of BlaekBcrry dev ices, a Seagate external hard drive to store backups of the Dell PowcrEdgc 2900 
server, a Dell switch, a Cisco firewall, and a power supply . 

1 (L7/FOUO) An e-mail obtained during the FBI investigation from Cooper to Clinton, indicated that in April 2009. Cooper was 
preparing to update Clinton' s BlaekBcrry to "put it on our new s\ stem." 

k (U) An MX record determines which server will handle e-mail deliver) for a domain and is necessary for routing e-mail to its 
proper destination. 
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previously served as the Apple Server was discarded. 4 " On October 14, 2015, Williams & 
Connolly LLP (Williams & Connolly), counsel for Clinton, confirmed to the Department of 
Justice (DOJ) that a review of the iMac was conducted, pursuant to a request by DOJ, and no e- 
mails were found belonging to Clinton from the period of her tenure as Secretary of State. 40 

(U/ /FOLIO ) Pagliano and Cooper both had administrative accounts on the Pagliano Server. 40 At 
Cooper's direction, Pagliano handled all software upgrades and general maintenance 41 Cooper 
described his role as “the customer service face,” and he could add users or reset passwords on 
the e-mail server. 4 ~ Cooper and Pagliano both handled the acquisition and purchase of server- 
related items. 54 For example, in March 2009, Cooper registered a Secure Sockets Layer (SSL) 1 
encryption certificate at Pagliano' s direction for added security when users accessed their e-mail 
from various computers and devices. 44 ” Clinton stated she had no knowledge of the hardware, 
software, or security protocols used to construct and operate the servers 46 When she experienced 
technical issues with her e-mail account she contacted Cooper for assistance in resolving those 
issues. 57 


(U//FOWO) Pagliano stated that a complete backup of the Pagliano Server was made on a 
Seagate external hard drive once a week and a differential backup" 1 was completed every day, 
and this continued from the initial Pagliano Server installation in March 2009 until June 201 1 
when the external hard drive was replaced. 4 " As space on the hard drive ran out, backups were 
deleted on a “first in, first out” basis. 40 In June 2011, Pagliano replaced the Seagate external hard 
drive with a Cisco Network Attached Storage (NAS) device, to store backups of the server/ 10 
The FBI was unable to forensically determine how frequently the NAS captured backups of the 
Pagliano Server. 


(U//FOUO) According to Pagliano, in early 2013, due to user limitations and reliability concerns 
regarding the Pagliano Server, staff for Clinton and President Clinton discussed future e-mail 
server options, and a search was initiated to find a vendor to manage a Clinton e-mail server"/’ 1 
Additionally, Pagliano' s expressed desire to seek new employment contributed to the deci sion to 
move to a new server/’ 2 A se arch for the new vendor was facilitated with the assistance of j 

llnfograte, an information technology consulting company. 65,6 


| |was introduced to Clinton 1 s Ch ief of St aff, Cheryl Mills, on or about January 2, 2013 

through a mutual business associate/’ ! S tated she worked with Mills and Pagliano to 
produce a request for proposal which was used to solicit responses from multiple firms, 
including Denver-based information technology firm Platte River Networks (PRN)/’ Clinton 
recalled that the transition to the PRN Server was initiated by President Clinton 1 s aides seeking a 
higher level of ser vice than could be provided by the Pagliano Server/’ 14 Pagliano identified 
President Clinton' s as making the final decision to 

select PRN 60 In the spring of 2013, PRN negotiated the terms of the contract to host e-mail 
services and eventually signed a Service Level Agreement on July 18, 2013. 70 ' 71 


(L ) SSL is a sccuriiy protocol used to establish an cncn pted connection between a server and another machine, allowing 
sensitise information such as login credentials or credit card information to be transmitted in an encrypted format instead of in 
plain text. SSL certificates, issued by a third-party Certificate Authority, arc small files that must be installed on servers to 
establish scenic sessions with web browsers. 

(U) A differential backup is a cumulative backup of all changes tltat have occurred sinc e the last full back up. 

" (L7 /FOUO ) The new Clinton e-mail server hosted e-mail for Clinton. President Clinton! land their respective 

staffs. 
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(l! 'EO I/O) Third E-mail Server: Jane 2013 October 2015 


Following the selection of PRN to manage the Clintons' personal e-mail server and 
accounts, PRN's management assigned two PRN employees to handle the prim ary installation 


and administration of the t hird server syst em (PRN Server). \ 
re motely from his h ome in 


and 


who worked 


[handled day-to-day administration for the PRN Server, 

Jwho worked at PRN's headquarters in Colorado, handled all hardware 
installation and any required physical (i. e “hands-o n”) maintenance for the PRN Server. 0 ° 
During the transition to the PRN Server,! advised he worked with Pagliano to 


understand the existing ar chitecture of the Pagliano Server. 74 As part of this transition process, 
on or around June 4, 201 3 ] | was granted administrator access to the Pagliano Server, as 

well as any accompanying services, such as the domain registration services through Network 
Solutions. 75-76 ' 77 ' 7 * 4 


(U// FOUO ) On June 23, 201 3\ [traveled to Clinton' s Chappaqua residence, where he 

powered down the Pagliano Server and transported it to a datacenter in Secaucus, New Jersey, 
run by Equinix, Inc. (Equinix). 7 ' 7 '* 4 "' 141 The PRN Server remained at the Equinix fa cility until it 
was voluntarily produced to the FBI on October 3, 2015. 142 145 The only equipment! 


left 


at the Chappaqua residence was the existing Firewall and switch, since PRN intended to purchase 
its own firewalls and switches. * 1 ~ reconnected and powered on the equipment for the 


Pagliano Server at the datacenter, so users could connect to their e-mail accounts,*^ and he 
continued to work at the datacenter for a few days setting up the remaininu equipment for the 

"[co mpleted all o f the onsite work, while | worked remotely to 

Afteil ]eft Secaucus, New Jersey, to travel back to PRN' s 


PRN Server.* 
get the server online. 1 

headq uarters, all p hysical pieces of hardware had been installed except for an intrusion detection 
told the FBI that Equinix installed this device shortly after he left because the 

_ j i I-* XX 


device 

intrusion detection device was shipped later. 


On or around June 30, 2013, 


began to remotely migrate all e-mail 

X9 j-. • . v • _ • .■ • j . l. . 


accounts from the Pagliano Server to the PRN Server. During this migration period, the two 
server systems functioned together to ensure uninterrupted e-mail delivery to users.' 711 After 
several days of migration, all e-mail accounts hosted on the presidentclinton.com . wicoffice.com , 
and clintonemail.com domains were transferred to the PRN Server/ 1 y| At that point, PRN kept 
the Pagliano Server online to ensure e-mail was still being delivered, however, the Pagliano 
Server was no longer hosting e-mail services for the Clintons. 72 
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0 (U/ff©©©) A third PRN employee.^ 


] only handled a few tasks related to the administration of the scivcr system 


until he left the company in the summer of 2015. 

p (L7/FOI5©) The PRN" Scivcr consisted of the follow ing equipment: a Dell PouciEdgc R620 server hosting four virtual 
machines, including four separate virtual machines for Microsoft Exchange e-mail hosting, a BES for the management of 
BlackBcrry dev ices, a domain controller to authenticate password requests, and an administrative server to manage the other 
three virtual machines, a Datto SIRIS 2000 to store onsite and remote backups of the server system, a CloudJackct dev ice for 
intrusion prevent ion, two Dell switch es, and two Fortinct Fortigatc 80C firewalls. 

” (L7 / P OE0 ) Thd Idomain was also added to the PRN Server at a later date. 
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As part of the PRN Server environment^ 


old the FBI that he configured a 
backup device from Connecticut-based company Datto, Inc. (Datto), a Datto SIRIS 2000,' to 
take multiple snapshots of the server system daily, with a retention period of 60 days. 9 ' 1 The 
backup device also made multiple copies of the Pagliano Server between June 24, 2013 and 
December 23, 201 3. 94 At the Clintons' request, PRN only intended that the backup device store 
local copies of the backups. 9:, ' % However, in August 2015, Datto informed PRN that, due to a 
technical oversight, the PRN Server was also backing up the server to Datto' s secure cloud 
storage. 97 98 After this notification, PRN instructed Datto to discontinue the secure cloud 
backups. 


‘19. IOO 


(U//FOUO) stated the Clintons originally requested that e-mail on the PRN Server be 

encrypted such that no one but the users could read the content. 1,11 However, PRN ultimately did 
not configure the e-mail settings this way to allow system administrators to troubleshoot 
problems occurring within user accounts 102 


(U//F OUO ) PRN utilized an Intrusion Detection System (IDS)/Intrusion Prevention System 
(IPS) called CloudJacket from SECNAP Network Security. |0 ' The IDS/IPS device implemented 
by PRN had pre-configured settings that blocked or blacklisted certain e-mail traffic identified as 
potentially harmful and provided real-time monitoring, alerting, and incident response 
services. 11,4 l0:> SECNAP personnel would receive notifications when certain activity on the 
network triggered an alert. 1,,f> These notifications were reviewed by SECNAP personnel and, at 
times, additional follow-up was conducted with PRN in order to ascertain whether specific 
activity on the 
notifications 


% 


etwork wa s normal or anomalous 10 Occasionally, SEC NAP would s end e-mail 
prompting him to block certain IP addresses. |0 1 


described 


these notifications as normal and did not recall any serious security incident or intrusion 
109 PRN also implemented two firewalls for additional protection of the network. 
Istated that he put two firewalls in place for redundancy in case one went down. 1 10 


attempt. 


(U/ /FOUO ) According to the FBI 1 s forensic analysis of the server system, on December 3, 201 3, 
Microsoft Exchange was uninstalled on the Pagliano Server. 1 1 1 The Pagliano Server remained in 
the same server cage at the Equinix datacenter in Secaucus, New Jersey, and a forensic review of 
the server, which was obtained in August 2015 via consent provided by Clinton through 
Williams & Connolly, indicated that it continued to be powered on and off multiple times before 
the FBI obtained it. 112 At the time of the FBI' s acquisition of the Pagliano Server, Williams & 
Connolly did not advise the US Government (USG) of the existence of the additional equipment 
associated with the Pagliano Server, or that Clinton's clintonemail.com e-mails had been 
migrated to the successor PRN Server remaining at Equinix. The FBI' s subsequent investigation 
identified this additional equipment and revealed the e-mail migration As a result, on October 3, 
2015, the FBI obtained, via consent provided by Clinton through Williams & Connolly, both the 
remaining Pagliano Server equipment and the PRN Server, which had remained operational and 
was hosting Clinton' s personal e-mail account until it was disconnected and produced to the 

pgj 113. 114.115. 116 
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1 (U) The Datlo SIRIS 2(11)0 is a device that provides back-up capability and daia redundancy. 
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(U//FOW©) Investigation determined Clinton a nd Abedin began using new e-mail accounts on 
the domain hrcoffice.com in December 2014. 1,1 1 



| Abedin stated the clintonemail.com system was “going away” and, 

following t he initiation of the new domain. Abedin did not have access to her clintoneinail .com 
account. I20 | 


| Thi s i s con si stent wi th 

representations made by Williams & Connolly, which stated in a February 22, 2016 letter: 
“Secretary Clinton did not transfer her clintonemail.com e-mails for the time period January 21, 
2009 through February 1, 2013 to her hrcoffice.com account The investigation found no 
evidence Clinton' s hrcoffice.com account contained or contains potentially classified 
information or e-mails from her tenure as Secretary of State. The FBI has, therefore, not 
requested or obtained equipment associated with Clinton' s hrcoffice.com account. 

I). (II VO VO) Mobile Devices Associated with Clinton's E-mail Server Systems 

(U/ /FQUO ) Clinton stated she used a personal e-mail address and personal BlackBerry for both 
personal and official business and this decision was made out of convenience. 124 Abedin recalled 
that at the start of Clinton' s tenure, State advised personal e-mail accounts could not be linked to 
State mobile devices and, as a result, Clinton decided to use a personal device in order to a void 
carrying multiple devices. I25r 1 



Y 1 ’ Cooper stated that he was aware of Clinton using a second mobile phone 

number. 5 ' 1 214 Cooper indicated Clinton usually carried a flip phone along with her BlackBerry 
because it was more comfortable for communication an d Clinton w as able to use her BlackBerry 
while talking on the f ip phone. I2 ' ; Clinton believed 212 1 I was her primary BlackBerry 

phone number, and she did not recall using a flip phone during her tenure at State, only during 
her service in the Senate. 11 Abedin and Mills advised they were unaware of Clinton ever using 
a cellular phone other than the BlackBerry. 1 ’ 1 I>2 


(U//F0U6) FBI inv estigation id entifie d 13 total m obile devices, associated with her two known 

phone numbers, 212 and 212 which potentially were used to send e-mails 

using Clinton's clintonemail.com e-mai addresses. 1 ” Investigation determin ed Clinton u sed in 


succession 1 1 e-mail capable BlackBerry mobile devices associated with 212l 


I eight of 


which she used during her tenure as Secretary of State, 
two e-mail capable mobile devices associated with 212 



iuation identified Clinton used 
lafter her tenure. 1 ^ On 


5 (L7 /FOUO) During his interview with the FBI. Cooper was mistaken!} show n ' 2 0 2 1 | as the seco nd phone num ber. 

Cooper recognized the phone number as Clinton’s s econd numb er, however the correct phone number is 212 | 

' (L7/TOD©) AT&T toll records associated w ith 2 1 j* I ndicated the number was consistently used for phone calls in 

2009 and then used sporadical!} through the duration of Clinton’s tenure and the years following. Records also showed that no 
BlackBerry devices were associated with tills phone number. _ 

“ (LV/FOd'O) The FBI identified four additional mobile devices associated with 2 1 2 j I which were used during Clinton's 

tenure. However, these devices lacked e-mail capability, and as a result the FBI did not conduct any further investigation 
regarding these devices. 
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Feb ruary 9, 2016, DOJ requested all 13 mobile devices from Williams & Connolly. 1 ' 6 Williams 
& Connolly replied on February 22, 2016 that they were unable to locate any of these devices. m 
As a result, the FBI was unable to acquire or forensically examine any of these 13 mobile 
devices. 

(U// FOUO ) On October 16, 2015, Williams & Connolly provided two other BlackBerry devices 
to the FBI and indicated the devices might contain or have previously contained e-mails from 
Clinton 1 s personal e-mail account during her tenure as Secretary of State.' 1 ' xl ’ y FBI forensic 
analysis found no evidence to indicate either of the devices provided by Williams & Connolly 
were connected to one of Clinton' s personal servers or contained e-mails from her personal 
accounts during her tenure 140141 142 

(U//FOUO) The FBI identified five iPad devices associated with Clinton which potentially were 
used to send e-mails from Clinton' s clintonemail com e-mail addresses. I4!U44-14 146 The FBI 
obtained three of the iPads ,47I4X - 149 One iPad contained three e-mails from 2012 in the 
hdr22@clintonemail.com “drafts” folder. Lv> The FBI assessed the three e-mails did not contain 
potentially classified information 141 The FBI did not recover e-mails from Clinton's personal e- 
mail accounts from either of the other two iPads in its possession i>2 

(U/ / -F 0U 6) Monica Hanley, a former Clinton aide, often purchased replacement BlackBerry 
devices for Clinton during her tenure at State l! ” Hanley recalled purchasing most of the 
BlackBerry devices for Clinton from AT&T stores located in the Washington, D.C. area. 1,4 
Whenever Clinton acquired new mobile devices. Cooper w as usual ly responsible for setting up 

the new devices and syncing them to the server 1:0 Abedin and Hanley also assisted 

Clinton with setting up any new devices. 156 According to Abedin, it was not uncommon for 
Clinton to use a new BlackBerry for a few days and then immediately switch it out for an older 
version with which she was more familiar. 157 Clinton stated that when her BlackBerry device 
malfunctioned, her aides would assist her in obtaining a new BlackBerry, and, after moving to a 
new device, her old SIM cards were disposed of by her aides. L ' x Cooper advised he sometimes 
assisted users, including Clinton, when they obtained a new mobile device by helping them back 
up the data from the old device before transferring it to the new device and syncing the new 
device with Clinton 1 s server 159 Abedin and Hanley indicated the whereabouts of Clinton' s 
devices would frequently become unknown once she transitioned to a new device. 160 161 Cooper 
did recall two instances where he destroyed Clinton' s old mobile devices by breaking them in 
half or hitting them with a hammer 162 

2. (U//FOUO) Clinton's Handling of E-mail and Classified Information 

A. (U t'OUO) Clinton's Decision To Use Personal E-mail and Server Systems 

(U/YF OU Q) FBI investigation determined the State Executive Secretariat 1 s Office of Information 
Resource Management (S/ES-IRM) offered Clinton a State e-mail address at the start of her 


b6 

b7C 


' (UWQLO) The mobile dc\ ices provided io ilic FBI from Williams & Connolly on October 16. 20 1 5 did not contain SIM cards 
or Sccuic Digital (SD) cards. 
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tenure; ho wever, Clinton' s staff" declined the offer 16j According to 

State S/ES-IRM, Clinton was offered a State e-mail address, but instead decided to use 

the personal server from her 2008 presidential campaign. 064 Investigation identified the 
existence of two State-issued e-mail accounts associated with Clinton, however, these accounts 
were used on Clinton' s behalf and not by Clinton herself. According to State, SMSGS@state.gov 
was used to send e-mail messages from the Secretary to all State employees. 165 ,66 This account 
was not configured to receive e-mails, and S/ES-IRM authored the messages sent from this 
account 167 S/ES-IRM created SSHRC@state.i>ov to manage an Outlook calendar for Clinton, 
but this account was not configured to send or receive e-mails other than calendar 
invitations. 16X169 A May 25, 2016 report issued by the State Office of Inspector General (OIG)- 
stated that, during Clinton' s tenure as Secretary of State, the State Foreign Affairs Manual 
(FAM) required day-to-day operations at State be conducted using an authorized information 
system. 1 The OIG stated it found “no evidence” that Clinton sought approval to conduct State 
business via her personal e-mail account or private servers, despite her obligation to do so. 1 11 
Clinton told the FBI that she did not explicitly request permission from State to use a private 
server or e-mail address 1 2 According to the State OIG report. State employees alleged that John 
Bentel, then-Director of S/ES-IRM,_ discouraged employees from raising concerns about 
Clinton 1 s use of personal e-mail. / ~ m When interviewed by the FBI, Bentel denied that State 
employees raised concerns about Clinton 1 s e-mail to him, that he discouraged employees from 
discussing it, or that he was aware during Clinton's tenure that she was using a personal e-mail 
account or server to conduct official State business. 174 

(U//E QU0 ) The FBI investigation determined some Clinton aides and senior-level State 
employees were aware Clinton used a personal e-mail address for State business during her 
tenure. Clinton told the FBI it was common knowledge at State that she had a private e-mail 
address because it was displayed to anyone with whom she exchanged e-mails. 1 5 However, 
some State employees interviewed by the FBI explained that e-mails from Clinton only 
contained the letter “H” in the sender field and did not display her e-mail address. 176 ' 1 ' 7 17X The 
majority of the State employees interviewed by the FBI who were in e-mail contact with Clinton 
indicated they had no knowledge of the private server in her Chappaqua 
residence 1 ' 9 I X " ISI IX2 I X7 IX4 Clinton' s immediate aides, to include Mills, Abedin, Jacob 
Sullivan,™ and ] ~| told the FBI they were unaware of the existence of the private server until 
after Clinton' s tenure at State or when it became public knowledge IX:> ' 1X6 ' IX7 18 
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* (LV/FOL'O) S/ES-IRM employees interviewed indicated they did not communicate diicclly with Clinton regarding tliis issue 
and could not specifically identify the members of Clinton' s immediate staff with whom they spoke. 

'(LV/POrO) According i d l oan of his job at State was to maintain and support the infrastructure for the b6 

UNCLASSIFIED and SECRET networks for the Executive Secretarial. b7C 

v (L7/FQU0) Independent of the FBI's investigation, in April 2015. the State OIG initiated its own investigation and review of 

records management policies and practices regarding the use of non-Staic communications sy stems during the tenure of five 

Secretaries of State, including Clinton. Portions of the State OIG s May 25. 2016 report relevant to the FBI's investigation arc 

cited herein. 

' (U) According to the State OIG report, two State information management staff members approacltcd the Director of the S/ES- 
IRM in 2010 with concerns they had about Clinton's use of a personal e-mail account and compliance with federal rccoids 
requirements. According to one staff member, the Director stated that Clinton's personal sy stem had been rev iewed and approved 
by State legal staff. The Diicctor allegedly told both staff members never to discuss Clinton's personal e-mail sy stem again. OIG 
found no evidence that State legal staff reviewed or approv ed Clinton' s personal e-mail system. 

3a (U) Sullivan served as the Deputy Chief of Staff and later the Director of Policy and Planning during Clinton's tenure as 
Secretary of State. 
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(U//-FOUO) The FBI investigation indicated Clinton was aware her use of a personal device, e- 
mail account, and server did not negate her obligation to preserve federal records. On January 23, 
2009, Clinton contacted former Secretary of State Colin Powell via e-mail to inquire about his 
use of a BlackBerry while he was Secretary of State (January 2001 to January 2005). bb In his 
e-mail reply, Powell warned Clinton that if it became “public” that Clinton had a BlackBerry, 
and she used it to “do business,” her e-mails could become “official record[s] and subject to the 
law.” 19 " Powell further advised Clinton, “Be very careful. I got around it all by not saying much 
and not using systems that captured the data.” 191 Clinton indicated to the FBI that she understood 
PowelP s comments to mean any work-related communications would be government records, 
and she stated Powell' s comments did not factor into her decision to use a personal e-mail 
account. 192 In an e-mail to Mills on August 30, 2011, State Executive Secretary, Stephen Mull, 
cited a request from Clinton to replace her temporarily malfunctioning personal BlackBerry with 
a State-issued device. I9> Mull informed Mills that a State-issued replacement device for 
Clinton' s personal BlackBerry would be subject to FOIA requests. 94 On that same day, Bentel 
sent a separate e-mail to Hanley, which was later forwarded to Abedin, stating that e-mails sent 
to a State e-mail address for Clinton would be “subject to FOIA searches.” 192 A State-issued 
device was not ultimately issued to Clinton; in her FBI interview, Abedin stated she felt it did not 
make sense to temporarily issue Clinton a State BlackBerry because it would have required 
significant effort to transfer all of her e-mails and contacts to a device that she would have only 
used for a few days. I% The Mull and Bentel e-mails to Mills and Hanley did not indicate that 
transferring e-mail and/or contacts from Clinton 1 s clintonemail.com account would be necessary 
to issue her a State BlackBerry. I97J9M99 Abedin stated she always assumed all of Clinton's 
communications, regardless of the account, would be subject to FOIA if they contained work- 
related material. 2 "" 
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(U/ /F - QUO ) While State policy during Clinton' s tenure required that “day-to-da y operations Tat 


State] be conducted on [an authorized informatio n system!.” 2 '" ac cording to the| 
the Bureau of Information Security Management ] there was no restriction on the 

use of personal email accounts for official business. However, State employees were 
cautioned about security and records retention concerns regarding the use of personal e-mail. In 
201 1, a notice to all State employees was sent on Clinton' s behalf, which recommended 
employees avoid conducting State business from personal e-mail accounts due to information 
security concerns. 2 "’ Clinton stated she did not recall this specific notice, and she did not recall 
receiving any guidance from State regarding e-mail policies outlined in the State FAM. 2 " 4 
Interviews with two State employees determined that State issued guidance which required 
employees who used personal e-mail accounts for State business to forward those work -related 


e-mails to their official State account for record-keeping purposes. 


205 . 2(16 


Investigation 


determined that State used the State Messaging and Archive Retrieval Toolset (SMART), which 
allows employees to electronica lly tag e-mails to preserve a record copy. 20 ' Jl9 According to 
l then State' j | SMART was 


developed to automate and streamline the process for archiving records. "^According to the 
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w> (L) According lo Uic Siaic OIG rcpon, when Powell armed at Stale in 2001 . the official unclassified e-mail system in place 
only permitted communication among State employees: thcrcfoic. Powell requested the use of a private line for liis America 
Online (AOL) e-mail account to communicate with indh iduals outside of State. Prior to Powell' s tenure. State employees did not 
hare Internet connectivity on their desktop computers. During Powell's tenure. State introduced unclassified desktop external c- 
nitiil capability on a sy stem know n as OpcnNct. 
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State OIG Report, 1RM introduced SMART throughout State in 2009, however, the Office of the 
Secretary elected not to use the SMART system to preserve e-mails, p artly due to co ncerns that 
the system would “allow overly broad access to sensitive materials.” 2 ’ |t old the FBI 

that representatives from the Executive Secretariat asked to be the last to receive the SMART 
rollout, and ultimately SMART was never rolled out to the Executive Secretariat Office 212 This 
left the “print and file” method as the only approved method by which the Office of the Secretary 
could preserve record e-mails. 214 


(U/ /FQUQ) Mills wrote in a letter to State, dated December 5, 2014, that it was Clinton' s 
practice to e-mail State officials at their government e-mail accounts for official business, and, 
therefore. State already had records of Clinton's e-mails preserved within State recordkeeping 
systems. 214 Abedin also stated in her FBI interview that Clinton's staff believed relevant e-mails 
would be captured and preserved by State if any of the senders or recipients were using an 
official State e-mail account 21 5 The State OIG stated in its report that this was not an appropriate 
method of preserving record e-mails, and Clinton should have preserved any record e-mails 
created and received on her personal account by printing and filing the e-mails in the Office of 
the Secretary. 216 State OIG also determined Clinton should have surrendered all e-mails relating 
to State business before leaving her post as Secretary of State. 21 Clinton stated that she received 
no instructions or direction regarding the preservation or production of records from State during 
the transition out of her role as Secretary of State in early 2013 2114 Furthermore, Clinton believed 
her work-related e-mails were captured by her practice of sending e-mails to State employees' 
official State e-mail accounts. 2 |y 


B. (II i-'OHO) ( ' ommiuiications Equipment in ( ’ Union's State Office and Residences 


determined Clinton did not have a computer in her State office, which 
was located in a Sensitive Compartmented Information Facility (SCIF) on the seventh floor of 
State headquarters, in an area often referred to as “Mahogany Row.” 22 " 221 222 State Diplomatic 
Security Service (DS) instructed Clinton that because her office was in a SCIF, the use of mobile 
devices in her office was prohibited. 224 Interviews of three former DS agents revealed Clinton 
stored her personal BlackBerry in a desk drawer in DS “Post l,” cc which was located within the 
SCIF on Mahogany Row. 224 2 ^ 226 State personnel were not authorized to bring their mobile 
devices into Post 1, as it was located within the SCIF. 22 According to Abedin, Clinton primarily 
used her personal BlackBerry or personal iPad for checking e-mails, and she left the SCIF to do 


so, often visiting State's eighth floor balcony. 228 Former Assistant Secretary of State for DS Eric 
Boswell stated he never received any complaints about Clinton using her personal BlackBerry 


inside the SCIF. 


229 




Jfhis decision was relayed to Clinton's executive 


Blackberries in Mahogany Row,” dated March 6, 2009. Cli 
requested a secure BlackBerry while at State after hearing Pre 


U) 


i Tlic DS security detachment maintained a Posi. known as Posi 1 . lO' 
Clinton's office on Mahogany Row. 
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could not recall the reasons why State was unable to fulfill this request. dd2,> Early in Clinton 1 s 
tenure at State, Clinton' s executive staff also inquired about the possibility of the Secretary using 
an iPad to receive communications in her office; however, this request was also denied due to 
restrictions associated with the Secretary's office being in a SCIF 2,4 According to the State OIG 
report, in January 2009, in response to Clinton' s desire to take her BlackBerry into secure areas. 
Mills discussed with S/ES-IRM officials and with the State Under Secretary for Management, 
Patrick Kennedy, alternative solutions which would allow Clinton to check e-mail from her 
desk. 2 ' -1 Setting up an Internet -connected, stand-alone computer was discussed as a viable 
solution, however, a stand-alone system was never set up. 246 



£ g/^C/NF - ) Investigation determined Clinton had access to a number of State-authorized secure 
means of telephonic communication in her residences and in her office at State. cc 2 > l At the start 
of Clinton 1 s tenure, State installed a SCIF and secure communicatio ns equipment, 

In her residences in 

■rrft.2 


. 219 . 2411 . 241.242 


Washington. L).l ( Whitehav en residence) and Chappaqua. " ' ' According to 

Abedin, Cooper, ancj there were personally-owned desktop computers in the SCIFs in 

Whitehaven and Chappaqua 24 ' 244 24:> Conversely, Clinton stated to the FBI she did not have a 
computer of any kind in the SCIFs in her residences. 24(1 According to Abedin and Clinton, 
Clinton did not use a computer, and she primarily used her BlackBerry or iPad for checking e- 
mails. 
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C. (I / - H - )U 44) Individuals in Direct ( 'ommunication with C Union's Personal E-mail 
Address 


(U/ /POUO ) Investigation determined a limited number of individuals maintained direct e-mail 
contact with Clinton through her personal clintonemail.com e-mail account during her tenure at 
State. Thirteen individuals, consisting of State senior-level employees, work-related advisors, 
and State executive administrative staff, maintained direct e-mail contact with Clinton and 
individually e-mailed her between 100 and 1,000 times during her tenure. 11 Abedin, Mills, and 
Sullivan, were most frequently in e-mail contact with Clinton and accounted for 68 percent of the 
e-mails sent directly to Clinton. In addition to sending Clinton messages they wrote, Abedin, 
Mills, and Sullivan reviewed e-mails they received from other State employees, USG contacts, 
and foreign government contacts, and if deemed appropriate they then forwarded the information 


^^qOtVIv'H According lo Clinton, tier request for a State-issued secure BlackBcm was not out of concern for tlic sensitivity of 
the information on the dc\ ice she was using at the lime, rather she wanted LllC SSCUIC do ICC LP dCill With lLllUlt, CPttUlUICllCICS 

, 1 fSZOCfcB Accflgttua la Atocdiu. Clinton's Slate office contained 


" (C.-vTObW According lo AOcdriu me SC it- do or at lire wtntciiarcn rcsrdcncc was not always locked, and Abedin. Hanley, and 

1 had access lo the SCIF. | ^ 

Investigation determined lire Chappaqua SCIF was not always secured, and Abedin. Hanley, and I I liad 

routine access to the SCIF. 


1 vJ 

th jnc vyuriciijiN cn icsmcncc| 


Blatc installed commuiiicalions ccnriDmcnt , 
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the Chaima oita residence similar to that at the Whitehaven residence. State Finished installation of the SCIF in the Chappaqua 
residence in ~1 


" (1.777)1,0) The statistics in this paragraph arc based on the e-mails provided by Williams & Connolly as pan of Clinton's 
production to the FBI, excluding Clinton's personal correspondence with family and close friends, as well as e-mails Clinton 
forwarded to herself. 
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to Clinton. 247 ' 248 ' 249 Multiple State employees advised they considered e-mailing Abedin, Mills, 
and Sullivan the equivalent of e-mailing Clinton. 2>li ' 271 

(UZ /fOU Q ) Investigation identified hundreds of e-mails sent by Abedin and other State staff to 
presidentclinton.com e-mail address requesting him to print documents for Clinton. 


Some of these e-mails were determined to contain i nformation classified at the 
CONFIDENTIAL Ievel.-"' 252 ' 2 ^' 254 ' 25 *' 256 ' 2 * ! I received a security clearance at the SECRET 
level on October 25, 2007 from the Department of Defense (DOD). 2:>x Documentation retained 
by DOD and provided to the FBI did not indicate ;ecurity clearance was deactivated 


upon his retirement from the US Navy Reserves in September 2010. 


259 


I). (II EOUO) Clinton Staffs Use of Personal E-mail Accounts for Official Business 


]and Hanley, 


(UZ/F OU Q) Clinton's immediate staff, to include Mills, Sullivan, AbedinJ 
told the FBI in interviews that they predominantly used their State-provided OpenNet e-mail 
accounts to conduct official State business. 26 " 261 262 26, 264 Exceptions to this practice included 
instances when the State OpenNet e-mail system was down or when staff was traveling 
internationally and OpenNet was not readily accessible. 265 ' 266 ' 267,268 ' 269 The FBI's investigation 
confirmed that Clinton's immediate staff used their personal e-mail accounts in combination with 
their State-provided OpenNet e-mail accounts for official State business. kk 

E. (U E0V O) Clinton's Use of Persona! E-mail Accounts While Overseas 
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(UZ/F OU Q) FBI investigation and the State OIG report determined that State issued regular 
notices to staff during Clinton's tenure highlighting cybersecurity threats and advising that 
mobile devices must be configured to State security guidelines. 2 '"' 2,1 Clinton and her immediate 
staff were notified of foreign travel risks and were warned that digital threats began immediately 
upon landing in a foreign country, since connection of a mobile device to a local network 
provides opportunities for foreign adversaries to intercept voice and e-mail transmissions. 272 2,> 
The State Mobile Communications (MC) Team was responsible for establishing secure mobile 


voice and data communications for Clinton and her team when they were traveling 
and abroad 2,4 276 When the security climate reauired. the State MC was capable o: 

domestically 



could be received and viewed by Clinton and/or her designated start." '" 


(S//OC/NF) Investigation determined that of the e-mai s provi ded by Williams & Connolly as 
part of Clinton' s production to the FBI, approximately [ g-mails were sent or received by 
Clinton on her personal e-mail accounts while s he was traveling outside the continental United 
States (OCONUS) on official State business. 11 27! 


11 (LV/rOUO) Investigation identified six e-mail chains forwarded i q p ital were determined from Ihc Stale FOIA review to 

contain CONFIDENTIAL information. Five were forwarded bv Abedin. and one was from Clinton. 

kl ' (U) Sec Section 3.C for discussion of classified c-mails contained in Clinton's slaff s personal e-mail accounts. 

" (L7/FOU6) Slate listed Clinton's overseas travel b\ indiv idual da>s. but did not prov ide additional information such as arrival 
and departure times. As a result, the FBI could not determine specifically which c-mails were sent while she was on the ground 
OCONL'S versus in flight. 
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| hBl investigation determined that hundreds of e-mails 

classified CONFIDENTIAL during the S tate F OIA process were sent or received by Clinton 

while she was OCONUS. Approximately! le-ma ils were sent or received by Clintor 

| On | [ occasions while OCONUS, Clinton had direct 
e-mail contact with an e-mail addre ss for President Barac k Obama. Of thel le-mai ls between 
Clin ton an d President Obama J f ,vere sent and received f I None of 

thesq [-mails were determined to contain classified information. Clinton told the FBI that she 

received no particular guidance as to how she should use President Obama' s e-mail address , and 
the e-mails sent while Clinton was] |nm.27<) 


/•'. (II - EOU ti) Clinton's Production of E-mail in Response to EOIA and Other Requests 


(U//FOU0 - ) The House Select Committee on Benghazi was established on May 8, 2014 and 
reached an agreement with State on July 23, 2014 regarding the production of records 28li State 
sent a formal request to former Secretaries of State on October 28, 2014, asking them to produce 
e-mails related to their government work.’* 1 After State requested that Clinton provide her e- 
mails,'"’ Clinton asked her attorneys, David Kendall 00 and Mills, to oversee the process of 
providing Clinton' s work-related e-mails to State. 28 ’ Heather Samuelson, pp an attorney working 
with Mills, undertook a review to identify work-related e-mails, while Kendall and Mills 
oversaw the process. Ultimately, on December 5, 2014, Williams & Connolly provided 
approximately 55,000 pages of e-mails™ to State in response to State' s request for Clinton to 
produce all e-mail in her possession that constituted a federal record from her tenure as Secretary 
of State. 784 State ultimately reviewed the 55,000 pages of e-mail to meet its production 
obligations related to FOIA lawsuits and requests. On May 27, 2015, State received a court order 
to post Clinton' s e-mails to the State FOIA website on a monthly production schedule with a 
completion date of January 29, 2016. 78> State ultimately concluded its FOIA-related production 
on February 29, 2016. Clinton told the FBI that she directed her legal team to provide any work- 
related or arguably work-related e-mails to State, however she did not participate in the 
development of the specific process to be used or in discussions of the locations of where her e- 
mails might exist. 784 ’ Clinton was not consulted on specific e-mails in order to determine if they 

287 

were work-related 7 
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"" (U//FOtrO) During ilic summer of 2014. Stale indie, tied lo Mills a request for Clinton' s work-related e-mails would be 
forthcoming, and in October 2014. Slate followed up by sending an official request to Clinton asking for her work -related c- 
mails. 

00 (U) Kendall is a partner at Williams & Connolly. 

PI> (U) Saumclsou worked in the White House Liaison Office at State during Clinton's tenure and currently senes as Clinton's 
personal attorney. 

it (U/tf OUO ) According to Clinton' s campaign website. 30.490 potentially work-related e-mails were provided to State on 
December 5. 2014. On August 6. 2015. Williams & Connolly pro\ ided the FBI a PST file containing 50,542 e-mail related files, 
which included 30.524 e-mail messages. 
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(U/ /FOUO ) In July 201 4. to initiate the review of Clinton' s e-mails for production to State, Mills 


arranged for 


to export from the PRN Server all of Clinton' s e-mails sent to o r received 

from a .gov e-mail address during Clinton's tenure as Secretary of State. - ‘ " Once 

completed this export from the PRN Server, he remotely transferred a PST file containing the e- 
mails onto Mills's and Samuel so n s lantons v ia ScreenConnect. IT 291 2,2 2<)> In late September 
2014, Mills and Samuelson asked to provide a full export of all of Clinton' s e-mails 

from her tenure, to include e-mails sent to and received from non-.gov e-mail addresses. 294 - 29x2% 
Mills and Samuelson explained that this follow-up request was made to ens ure their review 

* i ii i . i „ • 2‘)7 .2 Vjl 1 i 


from what location on the server 


as the July 2014 request.” Mills and Samue 

son did not know 

(extracted Clinton's e-mails. 299-201. 

gave the 


server he extracted Clinton's e-mails, and FBI investigation and forensic an alysis have b een 
unable to specifically identify the location and composition of the repository ! l used to 

create the export of Clinton' s e-mails from her tenure 202-202 


(U//F QU Q) The FBI interviewed Samuelson on May 24, 2016 about her review of the PRN- 
provided e-mails. Samuelson indicated she conducted the review of these e-mails over the course 
of several months and completed it just prior to December 5, 2014, when hard copies of the 
work -related e-mails were turned over to State. ’" 4 Using her laptop to conduct the review, 
Samuelson placed any work-related e-mails into a folder that she had created in Microsoft 
Outlook. 205 Samuelson first added to this folder all e-mails sent to or from Clinton' s personal e- 
mail account with .gov and mil e-mail addresses Samuelson then searched the remaining e- 
mails for the names of State senior leadership, as well as any members of Congress, foreign 
leaders, or other official contacts. Finally, Samuelson conducted a key word search of terms 
such as “Afghanistan,” “Libya,” and “Benghazi.”" - 20tt Samuelson reviewed the “To,” “From,” 
and “Subject” fields of every e-mail during this review; however, she did not read the content of 
each individual e-mail, indicating that, in some instances, she made a determination as to 
whether it was one of Clinton' s work or personal e-mails by only reviewing the “To,” “From,” 
and “Subject” fields of the e-mail. 209 


(U//F OU O) As she completed the review, Samuelson printed all of the e-mails to be turned over 
to State using a printer in Mills' s office According to Samuelson, Mills and Kendall 
subsequently reviewed e-mails that Samuelson printed, and any hard copy of an e-mail Mills and 
Kendall deemed not to be work-related was shredded, and the digital copy of the e-mail was not 
included in the folder Samuelson created in Microsoft Outlook to contain all of the work-related 
e-mails. Mills stated that, other than instances where Samuelson requested Mills's guidance. 
Mills did not review the e-mails Samuelson identified as work -related, and once the review was 
complete, Samuelson printed the work-related e-mails. 212 After the review was completed, 
Samuelson created a PST file containing all of the work-related e-mails and ensured that all 
work -related e-mails were printed. >! 5 This .PST file was provided to Kendall on a USB thumb 

" (U) ScrccnConncct is a rcmolc support administration tool that allows technicians to remotely connect to customers via a 
central web application to control and v iew end users' machines. According to product specifications. ScrccnConncct encrypts 
data transmitted from one machine to another, to include screen data, file transfers, key strokes, and chat messages. 

“ (U//POUO) Mills did not recall if this second PST file was transferred to her computer. 

" (U/ /rOUO ) The FBI was unable to obtain a complete list of keywords or named officials searched from Samuelson. Mills, or 
Clinton' s other attorneys due to an assertion of priv ilege. 
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drive. ' 14 On August 6, 2015, this thumb drive was obtained by the FBI from Williams & 
Connolly via consent from Clinton. 
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G. (II TTTtltf) Deletion of E-mail Associated with Clinton's Personal E-mail Accounts 

(U/ /FQUO) According to Hanley, in spring 2013, Cooper assisted Hanley in creating an archive 
of Clinton 1 s e-mails. 41:1 Cooper provided Hanley with an Apple MacBook laptop (the Archive 
Laptop) 1 " 1 from the Clinton Foundation and telephonically walked Hanley through the process of 
remotely transferring Clinton 1 s e-mails from the Pagliano Server to the laptop and a thumb 
drive. ’ u> Hanley completed this task from her personal residence. The two copies of the 
Clinton e-mail archive (one on the Archive Laptop and one on the thumb drive) were intended to 
be stored in Clinton's Chappaqua and Whitehaven residences, however, Hanley explained this 
did not occur as Hanley forgot to provide the Archive Laptop and the thumb drive to Clinton' s 
staff following the creation of the archive. 4ltu, ° I n early 2014 , Hanley located the Archive 
Laptop at her personal residence and worked with | j o transfer the archive of Clinton 1 s 

e-mails to PRN. 120 ‘ 2I 12 1 After trying unsucce ssfully to rem otely trans fer the e-mails t o 

~1 Hanley shipped the Archive Laptop to| residence ir |n 

February 2014, anc j nigrated Cl inton's e-m ails from the Archive Laptop onto the PRN 

Server. 424,,25,m427 ^'' To accomplish this ] ra nsferred all of the Clin ton e-mail content 

to a personal Google e-mail (Gmail) address he created, |~ [h) urn ail, com . and 

then downloaded all of the e-mail content from the Gmail account to a mailbox named “HRC 
Archive" with the e-mail addr ess hrcarchive@clintonemail.com on the PRN Server. 420 440,4,1 

jadvised he used the | Rlumail.com e-mail account to facilitate the 


transfer because he had trouble exporting the e-mail from the Apple MacMail format to a format 
that would be compatible with Microsoft Exchange 1,2 

(U// FOU0) Hanley stated she recommended tha t PRN wine the Archive Laptop after the e-mails 


were transferred to the PRN Server. ’ ” However,) |told the FBI that, after the transfer 

was complete, he deleted the e-mails from the Arc hive Laptop but did not wipe the laptop." 1 


He 


kZmmail.com e-mail 


also advised he deleted the e-mails uploaded to the 

account per Hanley 1 s instructions a nd shinned the Arch ive Laptop via U nited States Posta 
Service or Unit ed Parcel S ervice tq 


time. 


335.336.33 


I I v v IU WI 

who was Clinton' 


]told the FBI that she never received the laptop fromf 


pt the 


however, she advised that Clinton' s staff was moving offices at the time, and it w ould have bee n 


easy for the package to get lost during the transition period 4,8 Neither Hanley nod 


could identify the current whereabouts of the Archive Laptop or thumb drive containing the 
archive, and the FBI does not have either item in its possession" 0 

(U //FOUO ) FBI investigation identified 940 e-mails associated with Clinton's personal e-mail 
ac count from October 25 2010 to December 3 1, 2010 that as of June 21 , 20 16 remained within 
the! bgmail.com account. ’ J " The FBI was able to determine that 56 of these 


"" (UAf&UO) According lo Abed in. ilic archive of Clinton's e-mails was crcaicd as a reference for ilic fninre production of a 
book. According to I ianlcy . the arcliivc of Clinton' s e-mails was created in tesponse to Clinton' s Iidr2 2 a climonciiKul.com 
address being released to the public following the online posting of e-mail exchanges between Clinton and an informal political 
advisor. Sidney Blumcnthal. Blumemlial' s personal e-mail account, which contained his e-mails with Clinton, was compromised 
on March 14. 2013 b\ a Romanian cvbcr hacker. Sec Section 4.D 


b6 

b7C 


b6 

b7C 


b6 

b7C 


Page 17 of 47 


R1 


HRC-17 


bl 

b3 

b7E 



SE< 


bl 

b3 

b7E 


RH 


e-mails have been identified as currently classified at the CONFIDENTIAL level through the 
Sta te FOIA nrnress 141 Ad ditionally the FBI determined that 302 of the 940 e-mails identified in 

the bumail.com account were not found in the set of e-mails Clinton 

produced to State in December 2014 ,4 “ Of the 302 e-mails, the FBI disseminated 1 8 to USG 
agencies for classification review. State determined one e-mail to be classified SECRET when 
sent and to be classified CONFIDENTIAL currently. State determined a second e-mail to be 
classified as CONFIDENTIAL when sent and to be currently UNCLASSIFIED 



unknown Clinton staff member told him s/he did not want the .PST file after the export and 
wanted it removed from the PRN Server/ 152 According to Mills, in December 2014, Clinton 
decided s he no longe r needed access to any of her e-mails older than 60 days. ° ‘ Therefore, Mills 
instructed! |to modify the e-mail retention poli cy on Clinto n's clintonemail.com e-mail 


account to reflect this change. 254 However, according tc£ 


he did not make these 
' 5 Clinton told the FBI that, 


changes to Clinton' s clintonemail.com account until March 2015. 
after her staff completed her e-mail production to State in December 2014, she was asked what 
she wanted to do with her remaining personal e-mails, Clinton instructed her staff she no longer 
needed the e-mails.’ 56 Clinton stated she never deleted, nor did she instruct anyone to delete, her 
e-mails to avoid complying with FOIA, State or FBI requests for information. 457 


(U/ /FOU6 ) On March 2, 2015, The New York Times (NYT) published an article titled, “Hillary 
Clinton Used Personal Email Account at State Dept., Possibly Breaking Rules.”"" ’ 48 This article 
identified publicly that Clinton exclusively used a personal e-mail account to conduct official 
State business while she was Secretary of State and had not produced her federal records to State 
until December 2014. ' 0<, On March 3, 2015, the United States House Select Committee on 
Benghazi provided a letter to Williams & Connolly requesting the preservation and production of 
all documents and media related to hdr22@clintonemail.com and hrcl 7@clintonemail.com . ""’ 60 
The following day, the House Select Committee on Benghazi issued a subpoena to Clinton to 
produce e-mails from hdr22@clintonemail com . hrodl7@clintonemail.com . and other e-mail 
addresses used by Clinton, pursuant to the events surrounding the 2012 terrorist attack in 
Benghazi.’ 61 


(U//F OUQ ) In the days following the publication of the NYT article. Mills requested that PRN 
conduct a com plete inven tory of all equipment related to the Pagliano Server. ’ 62 ’ 6 ’ In response 
to this request, g raveled to the Equinix daj acenter in Secaucus, New Jersey to conduct 

an onsite review of the equipment, whila 


also logged in to the server 


" (L) BlcachBii is open source software lliai allows users 10 "shred” files, clear Internet history- delete system and temporary 
files and wipe free space on a hard drive. Free space is ihc area of the hard drive that can contain data that has been deleted. 
BlcachBii* s "shred files" function claims 10 securely erase files b\ overwriting data io make the daia unrecoverable 
** (U) The same article was released on the NYT website on March 2. 20 15. The print version appeared on page A 1 the 
following day. March 3. 2015. 

“ (L ) The 1 louse Sclcci Committee on Benghazi submitted a preservation request for an accurate e-mail address. 

Iidr22 d clintoncmail.com . and an inaccurate e-mail address, lire 1 7 <v clintoncniail com. for Clinton. 
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364.S65.36fj 


remotely. 

additional data existed on any server equipment, as all data was migrated to the PRN 


powered on the Pagliano Server and confirmed for Mills that no 


Server. 


vv.. 367. 368 


(U//- EOU O) Investigation indicated that on March 25, 2015, P RN held a c onference call with 
President Clinton' s staff. 169 ’ 0 In his interviews with the FBlJ 


ndicated that sometime 

between March 25-31, 2015, he realized he did not make the e-mail retention policy changes to 
Clinton 1 s clintonemail.com e-mail a ccount that Mills had requested in December 2014. ’ 7I In his 
FBI interview on February 1 8, 201 b | [ indicated that he did not recall conduc ting 

deletions based upon this realization’" In a follow-up FBI interview on May 3, 201 6 ] 
indicated he believed he had an “oh shit” moment and sometime between March 25-31, 2015 
deleted the Clinton archive mailbox from the PRN server and used BleachBit la delete the 
exported PST files he had created on the server system containing Clinton' s e-mails. ,7 ’ 
Investigation found evidence of these deletions 1 74 and determined the Datto backups of the PRN 
Server were also manually deleted during this timeframe. 1 ' Investigation identified a PRN work 
ticket, which referenced a conferen ce call amo rm PRN, Kendall, and Mills on March 31, 


2015. ’ 6 ’ PRN' s attorney advised! 


based upon the assertion of the attorney-client privilege. 


not to comment on the conversation with Kendall 

378 


(U//FOUO ) Investigation identified a March 9, 2015 e-mail to PRN from Mills, of which 
was a recipient, r eferencing the preservation request from the Committee on 


Benghazi. " ] [ advised during his February 18, 2016 interview that he did not recall 

seeing the prese rvation req uest referenced in the March 9, 201 5 e-mail. 1X1 During his May 3, 
2016 interview, 


Jndicated that, at the time he made the deletions in March 2015, he 


was aware of the existence of the preservation req uest and the f act that it meant he should not 
disturb Clinton's e-mail data on the PRN Server. ’* f~ j dso stated during this interview, 

he did not receive guidance from other PRN personnel, PRN's legal counsel, or others re garding 


the meaning of the preservation request. 1X> Mills stated she was unaware that ] 
conducted these deletions and modifications in March 2015. ’ M Clinton stated she was a(so 
unaware of the March 2015 e-mail deletions by PRN. 1X5 


^}iad 

ilso 


3. (U //rQUO ) Results of FBI Review of Clinton E-mails Stored and Transmitted on 
Personal Server Systems 

A. (( / COUO) Quantities of Clinton's E-mails Recovered from Personal Server Systems 

(U//FOUO) To date, the FBI has recovered from additional data sources and reviewed 
approximately 1 7,448 unique work-related and personal e-mails" from Clinton' s tenure 
containing Clinton' s hdr22@clintonemail com ,llU e-mail address that were not provided by 
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“ (LV/P OUO ) FBI forcnsically identified deletions from iltc PRN Server on March 8. 2015 of PST files not associated w ith 
Clinton's e-mail account or domain, and other server data. 

" (L'WOtiO) These approximately 1 7.448 e-mails were determined to be unique from the e-mails provided by Williams & 
Comiolly as part of Clinton' s production to the FBI. through a distinctive Internet Message ID. These files do not include 
documents or partial e-mail fiics without an Internet Message ID itulic metadata. 

jaj ( U/>TOK'Oi The approximate 1 7.448 e-mails may contain chains of e-mails in which Clinton is not on the most recent "To.” 
"From,” "CC,” or' BCC” line. 


Page 19 of 47 


HRC-19 


bl 

b3 

b7E 




bl 
b3 
b7E 

Williams & Connolly as part of Clinton' s production to the FBI, including e-mails from January 
23, 2009 through March 18, 2009. bbb 

B. (11 /•'(){ 10) Classification Portion Markings in E-mail Recovered from Personal Server 
Systems 

(U//FOUO) The FBI identified three e-mail chains, encompassing eight individual e-mail 
exchanges to or from Clinton 1 s personal e-mail accounts, which contained at least one paragraph 
marked “(C),” a marking ostensibly indicating the presence of information classified at the 
CONFIDENTIAL level. ' ,8<UX7 '™ 8 The emails contained no additional markmgSj such as a header 
or footer, indicating that they were classified. State confirmed through the FOIA review process 
that one of these three e-mail chains contains information which is currently classified at the 
CONFIDENTIAL level. ccc ' ,K<) State determined that the other two e-mail chains are currently 
UNCLASSIFIED T'' 0 ™ 1 State did not provide a determination as to whether any of these three e- 
mails were classified at the time they were sent. 

(U/7TOUO) When asked about the e-mail chain containing “(C)” portion markings that State 
determined to currently contain CONFIDENTIAL information, Clinton stated she did not know 
what the “(C)” meant at the beginning of the paragraphs and speculated it was referencing 
paragraphs marked in alphabetical order. ddd ,,;2 Clinton identified a “CONFIDENTIAL” header 
and footer (inserted in the document by the FBI prior to the interview) and asked if the “(C)” 
related to the “CONFIDENTIAL” header and footer w Clinton did not believe the content of the 
e-mail was classified and questioned the classification determination. When asked of her 
knowledge regarding TOP SECRET, SECRET, and CONFIDENTIAL classification levels of 
USG information, Clinton responded that she did not pay attention to the “level” of classification 
and took all classified information seriously. 

( (11-COVtJ) ( ' lassifed Information Found in Clinton's E-mails on Personal Server 
Systems 

(U// TOU O ) FBI and USIC classification reviews identified 81 e-mail chains containing 
approximately 193 individual e-mail exchanges ccc that were classified from the 
CONFIDENTIAL to TOP SECRET levels at the time the e-mails were drafted on 
UNCLASSIFIED systems and sent to or from Clinton's personal server. Of the 81 e-mail chains 
classified at the time of transmittal, 68 remain classified. Twelve of the e-mail chains, classified 


( U//rOUO) According lo Climou 1 s campaign website. Climon only pro\ ided Stale her work-related c-tnails dated after March 
18. 2(109. E-mails from January 21. 2009 to March 18. 2009 were not produced to Stale or the FBI by Williams & Connolly . 
According to Sanmclson and Mills, they were unable to locate Clinton's e-mails from this period. The e-mails from this time 
period were not provided to them by PRN. and they believed the e-mails were not backed up on any server. Inv estigation 
determined some of Clinton's c-mails from January 23. 2009 to March 17. 2009 were captured through a Datto backup on June 
29. 2013. 1 lowcver. the e-mails obtained ate likely only a subset of the c-mails sent or received by Clinton during this time 
period. 

(U//F0UO) The three e-mail chains containing the portion mark of "(C)” arc not considered as pan of the group of c-mails 
classified through the FBI classification review because State has not responded to the FBI request for classification 
determinations for these c-mails. 

l]Jd (TJ/i fOt r Q ) Earlier in her FBI interv iew, when asked w hat the classification marking "(SBU) meant. Clinton concctly slated 
Sensitive But Unclassified 

c “ ( U/ iFObO) Due to the limited insight into other USG and persona) e-mail accounts, the investigation was unable to determine 
if e-mails from the classified e-mail chains were forwarded to other USG or per sonal e-mail addresses. 
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by State as SECRET or CONFIDENTIAL, were not among the approximately 30,000 e-mails 
provided to State and the FBI by Williams & Connolly. In addition to State classified equities, 
the investigation determined the 81 e-mail chains contained classified equities from 5 other 
USIC agencies: the CIA, DOD, FBI, National Geospatial-Intelligence Agency (NGA), and 
National Security Agency (NSA). 



(S/ /OC/NF ) The 81 classified e-mail chains contained 8 e-mail chains classified TOP SECRET, 
37 e-mail chains classified SECRET, and 36 e-mail chains classified CONFIDENTIAL at the 
time they were sent. Of these e-mail chains, 7 e-mail chains contained information associated 
with a Special Access Program (SAP) and 3 e-mail chains contained Sensitive Compartmented 
Information (SCI). f,r Of the 81 classified e-mail chains, 36 e-mail chains were determined to be 
Not-Releasable to Foreign G overnments (NOFORN) and 2 were considered releasable onl y to 
Five Allied partners (FVEY).| 1 


Sixteen of the e-mail chains, classified at the time the e-mails were sent, were downgraded in 
current classification by USIC agencies. 



bl 

b3 



(U//F OU Q) The State FOIA process identified 2,093 e-mails currently classified as 
CONFIDENTIAL or SECRET. Of these e-mails, FBI investigation identified approximately 100 
e-mails that overlapped with the 193 e-mails (80 e-mail chains) determined through the FBI 


) One of llic TOP SECRET/SCI e-mails was downgraded to a currcm classificaiiou of SECRET//REL TO USA. 


FVEY by the owning agency during a FOIA-rclatcd rev iew. 


SE 


Page 21 of 47 


RN 


HRC-21 


bl 

b3 

b7E 




bl 

b3 

b7E 



classification review to be classified at the time sent. All except one of the remaining 2,093 e- 
mails were determined by the State FOIA process to be CONFIDENTIAL, with one e-mail 
determined to be SECRET at the time of the FOIA review. ess-hhb State did not provide a 
determination as to whether the 2,093 e-mails were classified at the time they were sent. 


(U/ /FOUO ) The FBI investigation determined Clinton contributed to discussions in four e-mail 
chains classified as CONFIDENTIAL, three e-mail chains classified as SECRET//NOFORN, 
and four e-mail chains classified as TOP SECRET/SAP Inv estigatio n identified 67 instances 

where Clinton forwarded e-mails to either State personnel oi for printing that were 

identified as classified CONFIDENTIAL or SECRET through either the State FOIA process or 
FBI classification determination requests. 


(U//F OUQ ) FBI investigation determined at least 32 classified e-mail chains transited both the 
p ersonal e -mail account of Clinton and the personal e-mail accounts of Abedin, Mills, Sullivan, 
o j I " 1 One of these e-mails was TOP SECRET/SCI at the time of transmission, and is 

currently considered SECRET//REL TO USA, FVEY, five were classified as 
SECRET//NOFORN and one as SECRET both when sent and currently; two were classified 
SECRET when sent and are CONFIDENTIAL currently; one was classified as SECRET when 
sent and is UNCLASSIFIED//FOUO currently; 16 were classified CONFIDENTIAL both when 
sent and currently, five were CONFIDENTIAL when sent and UNCLASSIFIED//FOUO 
currently; and one was CONFIDENTIAL when sent and UNCLASSIFIED currently.-*'' 
Investigation determined at least 80 e-mails from the 2,093 e-mails deemed classified through 
the State FOIA process were sent to or from the personal accounts of Abedin, Mills, Sullivan, or 


It 


D. (I / Witness Statements Related to Classified E-mails Found on Clinton's 

Persona! Server Systems 


(U//F OU Q) The FBI interviewed multiple officials who authored and/or contributed to e-mails, 
the content of which has since been determined to contain classified 

information™ 1 ™" m-tru.mmm-inK USG employees resp onsible for initiating 
classified e-mail chains included State Civil Service employees. Foreign Service employees. 
Senior Executive Service employees. Presidential appointees, and non-State elected officials. 

(U// TOUQ ) During FBI interviews, the authors of these e-mails provided context surrounding 
the e-mails in question as well as reasons for sending the e-mails on unclassified systems. 


b6 
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(L7/TOU0) Investigation determined lire following t\ pcs of e-mails were not included in the lisl of 2.093 e-mails classified 
tlirough the Stale FOIA review: TS/SAP e-mails: e-mails not produced to Stale by Williams & Connolly: formerly classified c- 
mails now considered UNCLASSIFIED: and classified e-mails improper!) released during FOIA production. 

1,11,1 (L7 /FOUQ) Two attachments labeled as SECRET through Slate FOIA process were not tracked as separate classified 
documents in the FBI's classification review. 

(LV/rOUO) Due to the limited insight into other USG and personal e-mail accounts. FBI investigation was unable to determine 
if c-mails from classified e-mail chains were forwarded lo other personal e-mail accounts. 

111 (U7/FOUO) In addition lo Ihe personal accounts of Abedin. Mills. Sullivan, an q | sc\ cn classified e-mail chains w ere L6 

initially drafted in or sent from the private e-mail accounts of fin c non- Siatc indi viduals, to include Kerry and Blumcnthal. b7C 

kU (U/ /FOUO ) Personal e-mail accounts of Abedin. Mills. Sullivan, an d [ appeared in the "To." "From.” or "CC" line of 
the e-mail. Investigation was not able to determine if additional personal accounts were blind cat bon copied (“BCC”). 
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Individuals who worked in the State Bureau of Public Affairs 111 often accessed classified 
information to understand the context of unclassified information that was to be disseminated 
publicly. 409 The Public Affairs officials primarily relied upon reporting from country desk 
officers to generate talking points and believed the country desk officers were experienced in 
protecting sensitive information within their reporting 41,1 The Public Affairs officials were also 
responsible for notifying State leadership of impending reports by the news media regarding 
sensitive or controversial topics. 411 Furthermore, a former DOD official explained that he sent an 
e-mail, since deemed to contain classified information, in order to quickly coordinate public 
affairs responses by State and DOD with respect to a specific incident referenced in the e- 
mail. 412 


(U//FOUO) Individuals, including those in the State Operations Center (Ops Center)," 111 ' 11 ' who 
were responsible for passing information to high-level State officials, worked to identify and 
disseminate the information they deemed critical for review by State leadership. 414 414 These 
individuals noted that such information was generally sent on State unclassified e-mail systems 
because of the need to quickly elevate information at times when the intended recipients did not 
all have immediate access to classified e-mail accounts. 1 " 1 "' 414 416 


(U/ / P 0U0) Investigation identified seven e-mail chains comprised of 22 e-mails on Clinton's 
server classified by the USIC as TOP SECRET/SAP. State Department officials, both in 
Washington, D.C. and overseas, were briefed into the SAP and communicated both internally 
and with other USIC officials about the program. 41 7- 41 8-41 9 420 Only internal State e-mails 
regarding the SAP were forwarded- to Clinton, all of which were sent to Clinton' s server by 
Sullivan. Clinton and Sullivan engaged in discussions regarding the SAP in four of the seven e- 
mail chains. - 


(S//0€ffifl Dnrini’ FRHniJ-.rkir.ws State employees explained the context for why classified 


material 


was sent and provided reasons to explain why 
believe information in the e-mails was classified. 421 422 - 12 ' 42 j 
| stated thaC 


ey did not 


r- 1 


[stated the right method of communication was whichever method allowed for 


the fastest possible dissemination of the message. ' He also stated that information he received 
from other USG agencies was “technically probably classified” but that “you can' t do business 
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111 (U7/F QUQ ) According io Stale' s websilc. ilic Bureau of Public Affairs "engages domestic and international media lo 
communicate timely and accurate information with lire goal of furthering US foreign policy and national security interests as well 
as broadening understanding of American values.” 

(L7/TOUO) The Ops Center is staffed 24 hours a day and constantly monitors repotting from State cables, other USG 
agencies, and open source news outlets for information of interest to State leadership. 

""" (U7 /F O bO ) Individuals who inputted classified information into e-mail chains to pass to high-level Slate officials indicated 
that at times they were relying on information that others had summarized and provided to them. 
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that way .” 429 When interviewed by the FBI, authors of the e-mails stated that they used their 
best judgment in drafting the messages and that it was common practice at State to carefully, 
word e-m ails on UNCLASSIFIED netwo rks so as to a void sensitive details or “ta lk around’ 
[classified information Isfated the Information in the 


ai 


]former|_ 




Referenced news articles claiming e-mails on 


declined to comment on the e-mails. 

Clinton 1 s server were over-classified, but after seeing the e-mails during the interview, stated he 
“now understood why people were concerned about this matter.” 446 Sullivan indicated he had no 
reason to believe any State employee ever intentionally mishandled classified information. 44 ' 
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(S/ / Q C/NF ) The FBI interviewed four USIC executives stationed both in the United States and 

overseas ] " "" "T 4 ™ 440 441 The USIC 

executives reviewed the l l e-mail chains which transited Clinton' s personal e-m ail account 
and assessed that some of the e-mail chains should be considered classified 442 - 444 - 44 -] I 


interviewed $aid jflmj P.f.tEC 


T However] two of the USIC executive s" 


(S//OC/ NF) A majority of the USIC executives interviewed expressed concerns with how State 
handled l ~^ h9.45h.4m According to a ^ ISIC e.xmnive who Ij a j been stationed overseas | 

State employees were aware of the sensitivities 
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(U/ /FOUO) On April 9, 2016, Mills, who served as Chief of Staff to Clinton at State between 
2009 and 2013, was interviewed by the FBI. During this interview, Mills was provided seven e- 
mails which contained information later determined to be classified. While Mills did not 
specifically remember any of the e-mails, she stated that there was nothing in them that 
concerned her regarding their transmission on an unclassified e-mail system. 411 Mills also stated 
that she was not concerned about her decision to forward certain of these e-mails to Clinton. 456 
In reviewing e-mails related to the SAP referenced above. Mills explained that some of the e- 
mails were designed to inform State officials of media reports concerning the subject matter and 
that the information in the e-mails merely confirmed what the public already knew. 4 ' 1 ' 

(U// FQUQ ) The FBI interviewed Sullivan on February 27, 2016. Sullivan, who between 2009 
and 2013 served at State first as the Deputy Chief of Staff for Policy and then as the Director of 
Policy Planning, communicated extensively with Clinton by e-mail. Their communications 
included both e-mails written by Sullivan and e-mails written by others that Sullivan forwarded 
to Clinton. During the interview, the FBI asked Sullivan to review approximately 14 e-mails 
Sullivan sent or received on unclassified systems that were later determined to contain classified 
information up to the TOP SECRET/SAP level. Sullivan did not specifically recall the e-mails, 
aside from recognizing some of them from the materials released pursuant to FOIA litigation, but 
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provided reasons why the e-mails may have been sent by him or others on unclassified 
systems. 45 * With respect to the SAP, Sullivan stated that it was discussed on unclassified systems 
due to the operational tempo at that time, and State employees attempted to talk around classified 
information. 45 ' 4 Sullivan also indicated that, for some of the e-mails, information about the 
incidents described therein may have already appeared in news reports. 46 " Furthermore, Sullivan 
stated that his colleagues at State worked hard while under pressure and used their best judgment 
to accomplish their mission 461 When forwarding e-mails, Sullivan relied on the judgment of the 
individuals who sent the e-mails to him to ensure that the e-mails did not contain classified 
information. 462 Sullivan did not recall any instances in which he felt uneasy about information 
conveyed on unclassified systems, nor any instances in which others expressed concerns about 
the handling of classified information at State. 000 ' 46 ' 
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(S//OC/NF) Sullivan was also asked about an e-mail exchange between him and Clinton in 
which, on the morning of June 17, 201 1, Clinton asked Sullivan to check on the status of talking 
points she was supposed to have received. 464 Sullivan responded that the secure fax was 
malfunctioning but was in the process of being fixed. Clinton instructed Sullivan that if the 
secure fax could not be fixed, he should “turn [the talking points] into nonpaper [with] no 
identifying heading and send nonsecure.” 46> State uses the term “non-paper” to refer to a 
document which is authorized for distribution to a foreign government without explicit 
attribution to the U.S. government and without classified information. Sullivan did not recall 
this specific e-mail but believed that Clinton's request indicated that she would have wanted him 
to make an unclassifie d version of the document summarize the contents and then send it to her 
on a non-secure fax, i 


(U//P OUQ - ) On April 5, 2016, Abedin, who served as Deputy Chief of Staff to Clinton at State 
between 2009 and 2013, was interviewed by the FBI. When asked about an e-mail subsequently 
determined to contain CONFIDENTIAL information, Abedin noted that she had only conveyed 
the information from the e-mail and had not originated it. 4 " She also stated that she relied upon 
the sender to properly mark the e-mail for classification purposes and did not take it upon herself 
to question the sender' s judgment as to such marking. ppp 4,1 

(U //TOUO ) Investigation determined Sidney Blumenthal, a former political aide to President 
Clinton and an informal political advisor to Clinton during her tenure at State, had direct e-mail 
contact with Clinton during her tenure at State. FBI investigation identified at least 1 79 e- 


000 (L7/rOUO) Abedin and Mills also provided similar responses when asked about Slate security practices regarding classified 
information. 

ppp (U/jTOUO) Although Abedin was a party to e-mails containing information that has since been determined to be classified, 
due to the nature of her position ai Stale. Abedin was not regular!) included in the e-mail chains (discussed in this section of the 
memorandum) about w hich Sullivan and Mills were questioned. Abedin' s position at Stale did not consistently involve tier 
participation in substantive policy decisions, and she was not a regular user of classified e-mail sy stems. 
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mails qqq that Blumenthal sent to Clinton containing information in memorandum format. The 
State FOIA process identified 24 memos from Blumenthal that contained information currently 
classified as CONFIDENTIAL and one as SECRET both when sent and currently. 4 ' 3 ' 4 ' 1 The FBI 
interviewed Blumenthal on January 7, 2016. According to Blumenthal, the content of the 
memos, which addressed topics to include Benghazi and foreign political developments, was 
provided to him from a number of different sources to include former USIC employees and 
contacts, as well as contacts within foreign 

governments. The memos contained a notation of 

“CONFIDENTIAL” 111 and then often included a source summary statement sss similar to those 
frequently found in USIC intelligence products. Blumenthal indicated he was not tasked 

to provide this information to Clinton; rather, he provided it because he deemed the information 
helpful, which Clinton occasionally acknowledged via e-mail. 4,1 Clinton often forwarded the 
memos to Sullivan asking him to remove information identifying Blumenthal as the originator 
and to pass the information to other State employees to solicit their input. 492,491 According to e- 
mails between Clinton and Sullivan, Clinton discussed passing the information to the White 
House, other USG agencies, and foreign governments '” 494 49q 


1C. (U Id) CO) C/in/on's Statements Related to Classified E-mails bound on Her Persona! 
Server Systems 


(S//OCYNF) On July 2, 2016, the FBI interviewed Clinton. Clinton was aware she was an 
Original Classification Authority (OCA) at State, however, she could not recall how often she 
used this authority nor could she recall any training or guidance provided by State. 499 Clinton 
could not give an example of how the classification of a document was determined; rather she 
stated there was a process in place at State before her tenure, and she relied on career foreign 
service professionals to appropriately mark and handle cla ssified information. 49 ' C linton 
believed information should be classified when it relates tc | | the use of 

sensitive sources, or sensitive deliberations. 49S When asked whether she believed information 
should be classified if its unauthorized release would cause damage to national security, Clinton 
responded “yes, that is the understanding.” 499 

UJ (X/OC /Nf) Clinton did not recall receiving any e-mails she thought should not have been on an 
unclassified system. 300 She relied on State officials to use their judgment when e-mailing her and 
could not recall anyone raising concerns with her regarding the sensitivity of the information she 
received at her e-mail address 5111 The FBI provided Clinton with copies of her classified e-mails 
ranging from CONFIDENTIAL to TOP SECRET/SAP and Clinton said she did not believe the 
e-mails contained classified information/ 0 " Upon reviewing an e-mail classified 
SECRET//NOFORN dated December 27, 2011, Clinton stated no policy or practice existed 


bl 

b3 


<ln ' 1 (U7/FOUO) The FBI obtained 177 of Blunicnlha]' s memos from the e-mails provided by Williams & Connolly as part of 
Clinton's production 10 the FBI. The FBI recovered two additional memos during the investigation from BlackBcm backups 
provided by Cooper. Slate did not pros idc a classification determination on those additional memos. 
nr (U/ ffQfcQ) According to Blumenthal. "CONFIDENTIAL " meant the memo was personal in nature and did not refer to 
classified USG information. 

555 (U 7/1TQUQ) According to Blumenthal. the individual who pro\ ided the content for a number of the memos authored the source 
summary statements (caveats provided regarding the source of information) in the memos. 

(U7/TOU0) Investigation was unable to determine if any of Blumcmhal's memos were forwarded to the White 1 louse, or to 
other USG agencies and foreign governments, as Sullivan's OpcnNci sent items were not present in the data provided by State to 
the FBI. 
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related to communicating around holidays, and it was often necessary to communicate in code or 
do the best you could to convey the information considering the e-mail system you were 
using. Mn In reference to the same e-mail, Clinton believed if the foreign press was to obtain 
information from that e-mail, it would not cause damage to the US Government MU When asked, 
Clinton recalled being briefed on SAP information but could not recall any specific briefing on 
how to handle SAP information. 505 Clinton stated she knew SAP information was of great 
importance and needed to be handled carefully. 506 

/•'. (11 EOUO) Gaps in Clinton E-mail Recovered from Personal Server Systems 

(U//FOU0) There were no e-mails provided by Williams & Connolly to State or the FBI dated 
from January 21, 2009 to March 18,2009. FBI investigation identified an additional 18 days 
where Clinton did not provide State any responsive e-mail. FBI investigation determined 14 of 
the 18 days where Clinton did hot provide State any responsive e-mail correspond with e-mail 
outages affecting Clinton’ s personal server systems as a result of both Hurricane Irene 1 " 1 " and 
Hurricane Sandy”' FBI investigation indicated other explanations for gaps in Clinton 1 s e-mail 
production could include user deletion prior to PRN’ s transfer of Clinton 1 s e-mails for review, or 
flaws in the archiving and sorting process used to generate the responsive production to State. 

4. (U//FEWO) Results of the FBI Investigation and Analysis of Cyber Intrusion Potential 

A. (U COt ft)) Cyber Analysis of ( 'Union’s Personal Server Systems 

(U//POUG) FBI investigation and forensic analysis did not find evidence confirming that 
Clinton 1 s e-mail server systems were compromised by cyber means. The FBI’ s inability to 
recover all server equipment and the lack of complete server log data for the relevant time period 
limited the FBI' s forensic analysis of the server systems. As a result, FBI cyber analysis relied, 
in large part, on witness statements, e-mail correspondence, and related forensic content found 
on other devices to understand the setup, maintenance, administration, and security of the server 
systems. 

(U//F0U9-) Investigation determined Clinton's clintonemail com e-mail traffic was potentially 
vulnerable to compromise when she first began using her personal account in January 2009. It 
was not until late March 2009, when the Pagliano Server was set up and an SSL certificate""" 
was acquired for the clintonemail com domain — providing encryption of login credentials, but 
not e-mail content stored on the server — that access to the server was afforded an added layer of 
security. 50 ' '' 08 The certificate was valid until September 13, 2013, at which time PRN obtained a 
new certificate valid until September 13, 201 8. 50 


(U/ /FOUO ) During his December 22, 20 1 5 FBI intervi ew. Pauli ano recalled a conversation with 


"lat the beginning of Clinton 1 s tenure, in whiclj 


advised he would not be 
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""" (U/ /rOUO ) The firsi of two cMcudcd outages occurred from August 28 io 30. 201 1 (3 days) as a result of Hurricane Irene. 

(L7/F0fcr©) The second extended outage occurred from October 30. 20 12 lo November 9. 20 12 ( 1 1 days) as a result of 
1 lurricanc Sandy . 

**“ (L7 /FOfeQ ) According to FBI forensic analysis, there was no SSL certificate on tire Pagliano Server between March 19. 
2009. when the mail service was operational, and March 29 or 30. 2009. when the SSL ccitificatc was installed on the server. 
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surprised i f classified information was being transmitted to Clinton' s personal server. 510 

further recommended that e-mail transiting from a state.gov account to the server 
should be sent through a Transport Layer Security (TLS) XXX tunnel/" Pagliano advised that the 
transition to TLS never occurred. :>ll ' ; ’ 12 The FBI was unableto forensically determine if TLS was 
implemented on the Pagliano Server. 


When asked about the maintenance and security of the server system he 
administered, Pagliano stated there were no security breaches, but he was aware there were many 
failed login attempts, which he referred to as brute force attacks. He added that the failed 
attempts increased over the life of the Pagliano Server, and he set up the server 1 s logs to alert 
Cooper when they occurred/ 14 Pagliano knew the attempts were potential attackers because the 
credentials attempting to log in did not match legitimate users on the system 3 15 Pagliano could 
not recall if a high volume of failed login attempts emanated from any specific country/ 16 


(U//FOU0) In an attempt to thwart potential attacks, Pagliano set up Internet Protocol (TP) 
filtering‘'''''' 1 on the firewall and tried to review the firewall log files o nce a month/ 1 Afterthe 

Pagliano Server was established, Cooper put Pagliano in contact with a United 

States Secret Service (USSS) agent, who recommended Pagliano also perform outbound filtering 
of e-mail traffic. 518 Pagliano further considered, but ultimately did not implement, a Virtual 
Private Network (VPN) bbbb or two-factor authentication cccc to better secure administrative acpess 
to the server system by him and Cooper/* 19 The FBI forensically determined that Remote 
Desktop Protocol (RDP) dddd was enabled on the Pagliano Server and was used by Pagliano, 
Cooper, and later PRN, for remote administration of the server. 520 While the availability of RDP' 


b6 
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" s (U) TLS is a pioiocol lhal ensures privacy betw een communicating applications, such as w eb browsing, e-mail, turd instant- 
messaging. with their users on ilic Internet. TLS ensures that no third-party eavesdrops on the two-way communication. TLS is 
l he successor to SSL and is considered more secure. 

(U) According to the Stale 01G report. Stale policy (12 FAM 544.3) stipulates normal day-to-day operations must be 
conducted on an authorized system. In the absence of a dev ice. such as a State OpcnNct terminal, employees can send most 
Sensitive Bui Unclassified (SBU) information unencrypted v ia the Internet only when necessary . with the knowledge lhal the 
nature of the transmission lends itself to unauthorized access, how ev er remote that chance might be. Furthermore, in August 
2008. 12 FAM 682.2-5 was amended and mandated lhal SBU information on non-Dcpailnicnl -owned syslcnrs at non- 
Dcpartmcntal facilities liad to meet certain criteria. Employees had to: I) ensure that SBU information was encrypted: 2) destroy 
SBU information on their personally ow ned and managed computcis and removable media w hen the files arc no longer icqttircd: 
and 3) implement encryption certified by the National Institute of Science and Technology (NIST), among other things. Although 
12 FAM 682.2-5 was further amended in 2(11)9. 2011. 2014. and 2015. the basic requirements did not change. 

(U) A bnilc force attack is a trial-and-crror method used to obtain information, such as a password or personal identification 
number (PIN). In a bmte force attack, passw oids may be attempted manually or automated software can be used to generate a 
large number of consccutiv c guesses as to the targeted information. 

aaaa ( jjj jp fj]( cr j n g j s || lc practice of identify ing and manually blocking IP addresses based on the identification of patterns that 
arc indicative of a potential attack. 

bW,b (U) VPN is a priv ate netw ork that nuts on top of a larger netw ork to prov idc access to slutted nctw ork resources, which may 
or may not include the physical hard drives of indiv idual computcis. as in the ease of Remote Desktop Pioiocol (RDP). VPN 
offers an additional layer of security by encrypting the data traveling to the private network before sending it over the Internet. 
Data is then decrypted when it reaches the private network. 

”” (U) Two-factor authentication is a method of confirming a used s claimed identity by utilizing a combination of two different 
components, often something the user know s and something the user has — such as a RSA key fob/token. 

(U) RDP is a proprietary protocol dev eloped by Microsoft that allow s a user to remotely connect to another computer over a 
network connection to view the computer and control it remotely . RDP is implemented in every version of Windows starting with 
Windows XP. 
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on a server is convenient for remote access, the FBI is aware of known vulnerabilities”^ 
associated with the protocol. 


(U //FOUO 


r “ Z4 Pagliano recalled finding “a 

virus,” but could provide no additional details, other than it was nothing of great concern. 32 ' 1 FBI 
examination of the Pagliano Server and available server backups did not reveal any indications 
of malware. 32 " 


(U//FOUO) On January 9, 2011, Cooper sent Abedin an e-mail stating someone was attempting 
to “hack” the server, prompting him to shut it down. 32 Cooper sent Abedin another e-mail later 
the same day stating he had to reboot the server again. 32X The FBI' s investigation did not identify 
successful malicious login activity associated with this incident. 32 '' 


(U//FOU0) The FBI's review of available Internet Information Services (IIS) web logs showed 
scanning attempts from external IP addresses over the course of Pagliano' s administration of the 
server, though only one appears to have resulted in a successful compromise of an e-mail 
account on the server. 3 '" Forensic analysis noted that on January 5, 2013, three IP addresses 
matching known Tor nfl exit nodes were observed accessing a user e-m ail account on the 
Pagliano Server believed to belong to President Clinton sta ffer ! 




FBI 


and browsed e-mail 
stated to the FBI she is 


investigation indicated the Tor user logged in tcj [e-mail accoun 

folders and attachments. 3 ’ 1,3 ' 2 When asked during her interview] 

not familiar with nor has she ever used Tor software 3 ” FBI inv estigation to date was unable to 
identify the actor(s) responsible for this login or hov£ 
compromised. 5 ' 4 


ogin credentials were 


(U//TOU0-) Forensic analysis of alert e-mail records automatically generated by CloudJacket 
revealed multiple instances of potential malicious actors attempting to exploit vulnerabilities on 
the PRN Server. FBI determined none of the activity, however, was successful against the 
server. 3 ' 3 


(U//FOU0) Following the March 3, 2015 New York limes article publicly revealing Clinton's 
use of personal e-mail to conduct government business, 3 '" the FBI identified an increased 
number of login attempts to the PRN Server and its associated domain controller. 33 ' Forensic 
analysis revealed none of the login attempts were successful. FBI investigation also identified an 
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1C1V (L ) Older versions of RDP had a vulnerability in lire utciitod used to cnciypt RDP sessions. While security patches, if applied, 
have remedied these vulnerabilities, exposing RDP to direct connections could allow remote attackers the opportunity to guess 
login credentials. 

1111 (U) Tor is free software allowing end users to direct their Internet traffic through a group of v olunteer-operated serv ers around 
the world in order to conceal their location and Internet usage. 

s “" s (U) A domain controller is a Microsoft server that responds to security authentication requests (logins, checking permissions, 
etc.) within a Windows domain. 
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increase in unauthorized login attempts into the Apple iCloud llW,h account likely associated with 
Clinton' s e-mail address"" during this time period. Investigation determined all potentially 
suspicious Apple iCloud login attempts were unsuccessful. > ’ h Additionally, PRN made various 
network changes to the PRN Server around March 7, 201 5, to include disabling the server' s 
public-facing VPN page and switching from SSL protocol to TLS to increase security. 3 ' 0 Staff 
also discussed the possibility of conducting penetration testing 1111 against the PRN Server to 
highlight vulnerabilities in the network. 34 " The FBI interviewed an employee of the company 
with which PRN had discussed the issue. The employee stated that the topic was broached but 
that penetration testing against the PRN Server, ultimately, did not happen. 341 


B. (II EOi/O ) Cyber Analysis of ( 'Union's Mobile Devices 


(U//FOUO) The FBI does not have in its possession any of Clinton 1 s 13 mobile devices which 
potentially were used to send e-mails using Clinton’ s clintonemail.com e-mail addresses. As a 
result, the FBI could not make a determination as to whether any of the devices were subject to 
compromise. Similarly, the FBI does not have in its possession two of the five iPad devices 
which potentially were used by Clinton to send and receive e-mails during her tenure. 342 ' 34 ’' 344 345 
The FBI forensically examined two of the three iPads kkkk it obtained and found no evidence of 
cyber intrusion. 346 

C. (U ' / ' Of 10) ( ' yber Targeting of( '/inton's Personal E-mail and Associated Accounts 

(S///0€¥MF) Investigation identified multiple occurrences of phishing an d/or spear-phishinu e- 

mails sent to Clinton 1 s account during her tenure as Secretary of State. 34 1 _ 


(S/ /OC/Nr ) Clinton recei ved another phishin g e-mail, purportedly sent from the personal e-mail 
account of a State official J I The e-mai l contained a potentially malicious 

link. 332 Clinton replied to the e-mail |stating, “Is this really from you? I was 

worried about openin g it!’ 

In a separate incident 


,55.ir 


Abedin sent an e-mail td 


indicating Clinton was 
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1,1,1,11 <L7/POl?0) Apple iCloud is a cloud storage medium available to users of Apple products. Clinton is known to have used 
Apple iPads during the course of her tenure, and Udr22 a cliiiioncnrail.com w as likely used as licr Apple ID to set up a new Apple 
device. 

"" (L7/TOU0) While the N'YT article did not reseat Clinton's c-mail address — and by default the domain name — it is sen likeiy 
those who tried to gain access to the related Apple iCloud account searched for and found the e-mail address in open sources. 
News articles from 2013 contained a screenshot of Blumcnthal's communication with "hdr22, thereby divulging Clinton's c- 
mail alias. Other outlets mentioned the domain name in articles but w ithheld Clinton's c-mail alias. Clinton's full c-mail address 
could therefore have been ascertained tlrrough piecing together various sources. 

® (L ) Penetration testing, more commonly known as petnesting, is the practice of testing a computer system, netw ork, or web 
application to find vulnerabilities that an attacker could exploit. 

uu (UWOb©) The third iPad the FBI obtained was not actually used by Clinton. Shortly after it was purchased, it was given as 
a gift to a member of her staff, and therefore the FBI did not forensically examine the device. 

1111 (U) RAT is a piece of software that facilitates remote operation of a computet system. 
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worried “someone [was] hacking into her email” given that she -eccived an e-mail frpm a known 

associate containing a link to a website with pornographic material.”' There is no 

additional information as to why Clinton was concerned about someone hacking imp her e-mail 
accou nt, or if the specific link referenced by Abedin was used as a v ector to infect Cl'n Ion' s 
devicel 

[ Open source 

information indicated, if opened, the targeted user' s device may have been infected, and 
information would have been sent to at least three computers overseas, includinu one in 
Russia. 560 ' 56 ] 


Potential Loss of C '/ossified Information 


(U//FOUO) On March 11, 2011, Boswell sent a memo directly to Clinton outlining an increase 
since January 201 1 of cyber actors targeting State employees' personal e-mail accounts. The 
memo included an attachment which urged State employees to limit the use of personal e-mail 
for official business since “some compromised home systems have been reconfigured by these 
actors to automatically forward copies of all composed e-mails to an undisclosed recipient.” 564 
Clinton' s immediate staff was also briefed on cybersecurity threats in April and May 201 1. 565 



(L) In order for malicious c.\ccuiablcs io be effective, the targeted Uosi dev ice lias lo have lire correct program/applications 
installed. If. for example, the host is running an older version of Adobe but the exploit being used is newer, thcic is a chance the 
host will not be infected because the exploit was unable to execute using the older version of the program. 

"""" (L ) A "drop" account, in this case, is an e-mail account controlled by foreign cyber actors and which sen es as the recipient 
of auto-forwarded e-mails from v ictim accounts. 
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(U//FOUO) On or about March 14, 2013, Blumenthal's AOL e-mail account was compromised 
by Marcel Lehel Lazar, aka Guccifer, a Romanian cyber hacker. Lazar disseminated e-mails and 
attachments sent between Blumenthal and Clinton to 31 media outlets including a Russian 

broadcasting company. 3 *! 

f K One of the 

screenshots captured a list of 19 foreign policy and intelligence memos authored by Blumenthal 
for Clinton. 589 The content of one of the memos on the list was determined by State to be 
classified at the CONFIDENTIAL level. 59 " Lazar was extradited from Romania to the United 
States on March 31, 20 16. 591 


(U/ /FOUO ) Between April 25, 2016 and May 2, 2016, Lazar made a claim to FOX News that he 
used information from Blumenthal' s compromise as a stepping stone to hack Clinton' s personal 
server. 592 On May 26, 2016, the FBI interviewed Lazar, who admitted he lied to FOX News 
about hacking the Clinton server. 592 FBI forensic analysis of the Clinton server during the 
timeframe Lazar claimed to have compromised the server did not identify evidence that Lazar 
hacked the server. 594 An examination of log files from March 2013 indicated that IP addresses 
from Russia and Ukraine attempted to scan the server on March 1 5, 201 3, the day after the 
Blumenthal compromise, and on March 19 and March 21, 2013 595 However, none of these 
attempts were successful, and it could not be determined whether this activity was attributable to 
Lazar. 5% 


K. (I I I'OlfO) General Cyber Analysis ( 'onducted 


/C H{\T' /M l 

\ 0 / 1 1 ^ i 


The FBI conducted general cyber research and analysis of e-mail addresses 



i FBI extracted the Thread-Index 0000 and Message-ID PPPP values for each identified 
confirmed classified e-mail relevant to this investigation The values were extracted from the e- 
mail headers™ 0 in order to develop specific electronic signatures that could be used when 
searching for exact references in large data repositories. In an effort to identify whether any 
confirmed classified e-mails may have been compromised through computer intrusion met hods, 
the FBI conducted signature-based searches in available databases, to includi j The 

FBI also provided the unique identifiers to other government agencies, and one entity 


oooo ( ;j) ^ Thread-Index value is a unique, alphanumeric. Microsoft Out look -centric field found in an e-mail's header. The 
identifier is used to track e-mail threads (or conversations). Each time there is a reply or forward in the e-mail thread. Outlook — 
if it is the c-mail client being used — will append additional alphanumeric characters to the e-mail's original Thread-Index value. 
piw (jj) a Mcssagc-ID is a unique identifier found in an e-mail's header. Mcssagc-IDs arc inquired to hav e a specific format and 
be globally unique. Unlike Thread-Index values. Mcssagc-IDs arc unique to every individual e-mail, regardless of w hether two c- 
mails belong to the same tlircad (or cons creation) . 

<l ™ (U) A header precedes the body (content text) of an c-mail. and contains lines (metadata) that identify particular routing 
information. Fields such as "from." To." and ' Date aic iiiimdaion . while edicts arc optional 


r (u /ffo t r er 
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responded.^ To date, the signature-based searches in USG databases have not identified the b 

relevant e-mails. 61 " 



5555 (L VtfOG Q ) Tlic FBI pro\ idcd (he Executive Office of ilic President (COP). Stale Cyber Tlircal Analy sis Division (CTAD). 
and Siaic's Information Resource Bureau (IRB) with Thread-Index and Message- ID values. CTAD found no record of ilic 
signatures pros idcd. EOP staled they could only search "To." "From, and "Subject'' lines, as did Stale IRB. Separately, in an 
attempt to identify whether confirmed classified e-mails resided in unidentified e-mail provider accounts, or whether identified 
accounts forwarded or replied to the classified messages, the FBI explored the possibility of sharing Tluead -Index Value and 
Mcssagc-IDs with e-mail sen ice providers of interest. Google was asked if they could search those header fields in its dataset. 
The company stated it docs not index Thread-Index values, which is the identifier the FBI was most interested in. as it would 
have pros idcd insight into the extent the messages were forwarded. 
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